Ex-Financial Times Journalist Tom Foremski @ the Collision of Technology and Media

18

October

2010

|

02:35 PM

America/Los_Angeles

TRUSTe Responds To Facebook Privacy Leaks...

Facebook privacy policies are certified and monitored by TRUSTe, a private company that makes a big business out of issuing privacy seals for thousands of web sites.

In response to Facebook's recent privacy breach, in which apps developers shared private data about Facebook users, Fran Maier, President of TRUSTe, issued the following statements:

Today, the results of two notable privacy inquiries were released - one, a Wall Street Journal investigation into the personal information sharing practices of Facebook apps and advertisers and the other, TRUSTe's own nationwide survey of parents and teens on their privacy preferences and habits on social networks. The WSJ write-up alleges that many of the most popular apps on Facebook have been "providing access to people's names and, in some cases, their friends' names--to dozens of advertising and Internet tracking companies". You can read Facebook's response here.

While TRUSTe certifies the privacy practices of Facebook.com, we do not certify the privacy practices of third party applications on the site like those referenced in the WSJ's article. We appreciate, however, that ever-growing importance of these applications in peoples' lives and recognize that with growing popularity comes the need for greater privacy due diligence. Just last month we launched the first-ever mobile app privacy certification program, covering apps on all major mobile operating systems. Our mobile app certification program ensures that certified apps provide consumers with notice and choice regarding the collection and use of their personal information, including sensitive location data. We're committed now, more than ever, to delivering these privacy protections based around transparency, accountability and choice to the web-based application market. In the future we look forward to bringing greater privacy oversight to the social networking app space.

There are a lot questions and debate surrounding the implications of the WSJ's findings. The WSJ takes issue with Facebook users' information being passed on to advertisers, but what do users think about this practice on a high level? We found no clear consensus, with an almost even split for both teens and parents: 50 percent of parents and 46 percent of teens think advertisers should be able to show them ads based on their social network profile information or activity.

That's not to say parents and teens aren't concerned - they are. We found that 56 percent of teens and 66 percent of parents do not think social network applications used by their friends should be able to access their information. These stats underscore the importance of choice. Consumers want to make the call about when and with whom their personal information is shared - they don't want their friends or third parties making those decisions for them.

Permissions, data transfer and governance of data must be transparent and it seems in this particular case identified by the WSJ that better transparency was needed on all sides since even some of the players involved in passing this data were apparently unaware of their actions. And that's exactly where third-party privacy certification can help. Third-party privacy certification of social networking apps would also allow for the creation of uniform app standards - let us not forget that these same apps operate across other environments (like MySpace) and are not limited to the Facebook domain. Policing and monitoring apps is a difficult job and we're ready to help."

Foremski's Take: TRUSTe certifies web site privacy policies but, it turns out this does not apply to apps or mobile apps referencing the web site.

Facebook is one of the company's largest clients and one of its most problematic.

He said that TRUSTe worked very closely with Facebook to develop its privacy policies and pushed for very simple ways for users to opt-in to privacy controls. But it was a touch and go process and there were initially privacy policies that TRUSTe would not have certified.

But the use of the TRUSTe seal on Facebook is confusing. Does it certify adequate privacy provisions for user interactions or not? Or only if apps aren't used?

Connecting with an Application or Website. When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends' names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. We may also make information about the location of your computer or access device and your age available to applications and websites in order to help them implement appropriate security measures and control the distribution of age-appropriate content. If the application or website wants to access any other data, it will have to ask for your permission.

How can TRUSTe seals be used on this page if apps are not covered under TRUSTe's agreement? It certainly appears from the page that TRUSTe approves of everything in Facebook's privacy policy.

UPDATE: I spoke with Chris Babel, CEO of TRUSTe and he says that Facebook has complied with TRUSTe's policies in that it has quickly responded to the data leak and it suspended some of the applications. "That's exactly what we want to see."

He said that the privacy issue becomes very complicated with many layers, which is why TRUSTe recently launched its mobile apps certification program. And that an apps certification will soon follow.

This same issue affects Apple, another large TRUSTe client. Apple's web site is certified by TRUSTe but not the behavior of the iPhone apps unless an app provider seeks its own TRUSTe certification.